OAuth2 TLS handshake timeout #359

Closed
casperdcl opened this issue Sep 3, 2024 · 1 comment
Comments

casperdcl commented Sep 3, 2024

When trying to authenticate with GitHub at https://sub.mydomain.com/github:

  1. I'm redirected to https://github.com/login/oauth/authorize?client_id=...&redirect_uri=https%3A%2F%2Fauth.sub.mydomain.com%2Foauth2%2Fgithub%2Fauthorization-code-callback&scope=read%3Auser&state=...
  2. then redirected to https://auth.sub.mydomain.com/oauth2/github/authorization-code-callback?code=...&state=... which says Unauthorized
  3. Caddy logs say:
{"level":"warn","ts":1725395929.6400962,"logger":"security",
 "msg":"Authentication failed","session_id":"...","request_id":"...",
 "error":"failed fetching OAuth 2.0 access token: Post \"https://github.com/login/oauth/access_token\": net/http: TLS handshake timeout"}

I've also tried Discord OAuth2:

{"level":"warn","ts":1725432687.607709,"logger":"security",
 "msg":"Authentication failed","session_id":"...","request_id":"...",
 "error":"failed fetching OAuth 2.0 claims: Get \"https://discord.com/api/v10/users/@me\": net/http: TLS handshake timeout"}

and

{"level":"warn","ts":1725434688.457133,"logger":"security",
 "msg":"Authentication failed","session_id":"...","request_id":"...",
 "error":"failed fetching OAuth 2.0 access token: Post \"https://discord.com/api/oauth2/token\": net/http: TLS handshake timeout"}

Configuration

{
  order authenticate before respond
  order authorize before basicauth
  security {
    oauth identity provider github {env.GITHUB_CLIENT_ID} {env.GITHUB_CLIENT_SECRET}
    oauth identity provider discord {
      realm discord
      driver discord
      client_id {env.DISCORD_CLIENT_ID}
      client_secret {env.DISCORD_CLIENT_SECRET}
      scopes identify guilds
      user_group_filters {env.DISCORD_GUILD_ID}
    }
    authentication portal myportal {
      crypto default token lifetime 3600
      crypto key sign-verify {env.JWT_SHARED_KEY}
      cookie domain sub.mydomain.com
      enable identity provider github
      enable identity provider discord
      ui {
        links {
          "My Identity" "/whoami" icon "las la-user"
        }
      }
      transform user {
        match realm github
        action add role authp/user
        ui link "File Server" https://sub.mydomain.com/github icon "las la-star"
      }
      transform user {
        match realm discord
        action add role authp/user
        ui link "File Server" https://sub.mydomain.com/discord icon "las la-star"
      }
      transform user {
        match realm github
        match sub github.com/casperdcl
        action add role authp/admin
      }
      transform user {
        match realm discord
        match role discord.com/{env.DISCORD_GUILD_ID}/members
        action add role authp/admin
      }
    }
    authorization policy githubpolicy {
      set auth url https://auth.sub.mydomain.com/oauth2/github
      crypto key verify {env.JWT_SHARED_KEY}
      allow roles authp/admin authp/user
      validate bearer header
      inject headers with claims
    }
    authorization policy discordpolicy {
      set auth url https://auth.sub.mydomain.com/oauth2/discord
      crypto key verify {env.JWT_SHARED_KEY}
      allow roles authp/admin authp/user
      validate bearer header
      inject headers with claims
    }
  }
}
auth.sub.mydomain.com {
  tls casperdcl@mydomain.com
  authenticate with myportal
}
sub.mydomain.com {
  tls casperdcl@mydomain.com
  handle_path /discord* {
    authorize with discordpolicy
    root * /share/mydomain.com
    file_server browse
  }
  handle_path /github* {
    authorize with githubpolicy
    root * /share/mydomain.com
    file_server browse
  }
  encode zstd gzip
  log {
    output stdout
  }
}

Version Information

http.authentication.hashes.bcrypt v2.8.4
http.authentication.providers.http_basic v2.8.4
http.handlers.authentication v2.8.4
tls.client_auth.verifier.leaf v2.8.4
http.authentication.providers.authorizer v1.1.29
http.handlers.authenticator v1.1.29
security v1.1.29

Expected behaviour

https://sub.mydomain.com/{github,discord} should:

  1. redirect to https://github.com/login/oauth/authorize?client_id=...&redirect_uri=https%3A%2F%2Fauth.sub.mydomain.com%2Foauth2%2Fgithub%2Fauthorization-code-callback&scope=read%3Auser&state=... or https://discord.com/oauth2/authorize?client_id=...&redirect_uri=https%3A%2F%2Fauth.sub.mydomain.com%2Foauth2%2Fdiscord%2Fauthorization-code-callback&response_type=code&scope=identify+guilds&state=...
  2. redirect back to https://sub.mydomain.com/{github,discord} and list files
@casperdcl casperdcl changed the title github oauth2 failure oauth2 TLS handshake timeout Sep 4, 2024
@casperdcl casperdcl changed the title oauth2 TLS handshake timeout OAuth2 TLS handshake timeout Sep 4, 2024
casperdcl commented Sep 14, 2024

/CC @0x2b3bfa0 found the fix: https://www.civo.com/learn/fixing-networking-for-docker

ip a | grep to find the max mtu:

networks:
  default:
    driver: bridge
    driver_opts:
      com.docker.network.driver.mtu: 1450

probably worth documenting somewhere.

@casperdcl casperdcl closed this as not planned Sep 14, 2024
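The failure mode behind the thread is worth spelling out, because the symptom (portal answers Unauthorized, log says `net/http: TLS handshake timeout`) looks like an OAuth2 or credential problem when it is a path-MTU black hole. The container's bridge defaults to a 1500-byte MTU, the host uplink on this cloud network is 1450, and the outbound ClientHello is tiny while GitHub's ServerHello plus certificate chain arrives in full-size segments that do not fit; if ICMP "fragmentation needed" never reaches the sender, path MTU discovery cannot correct it and the Go HTTP client waits out its handshake timeout. The portal then has no token and correctly fails closed. The script below is an added example, not code from this issue or from caddy-security: it takes `ip -o link` and `ip -o route get <addr>` output on stdin, picks the uplink interface the default route uses, compares its MTU with every Docker bridge (`docker0`, `br-*`), and prints the `docker-compose.yml` stanza from the fix above if a bridge is larger. The interface names, addresses and the `SAMPLE_*` fixtures are constructed (not captured from the reporter's host), and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or caddy-security): diagnose the Docker
# bridge MTU mismatch that surfaces as "net/http: TLS handshake timeout".

# iface_mtu IFACE: read `ip -o link` output on stdin, print the MTU of IFACE.
iface_mtu() {
  awk -v want="$1:" '$2 == want { for (i = 1; i <= NF; i++) if ($i == "mtu") { print $(i + 1); exit } }'
}

# egress_iface: read `ip -o route get <addr>` output on stdin, print the "dev" interface.
egress_iface() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# bridge_mtus: read `ip -o link` output on stdin, print "name mtu" for each Docker bridge.
bridge_mtus() {
  awk '$2 ~ /^(docker|br-)/ { name = $2; sub(/:$/, "", name)
        for (i = 1; i <= NF; i++) if ($i == "mtu") print name, $(i + 1) }'
}

# recommend_mtu UPLINK_MTU: read bridge_mtus output on stdin; print the MTU to
# pin if any bridge is larger than the uplink, print nothing if they all fit.
recommend_mtu() {
  awk -v up="$1" '$2 + 0 > up + 0 { bad = 1 } END { if (bad) print up }'
}

# compose_fragment MTU: the docker-compose `networks:` stanza that pins the bridge MTU.
compose_fragment() {
  printf 'networks:\n  default:\n    driver: bridge\n    driver_opts:\n      com.docker.network.driver.mtu: %s\n' "$1"
}

# Constructed sample output (assumption, not captured from a real host) standing in for
#   ip -o link                      -> SAMPLE_LINK
#   ip -o route get 203.0.113.10    -> SAMPLE_ROUTE   (any public address will do)
SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
4: br-4a1b2c3d4e5f: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
5: veth9f3a1b2@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-4a1b2c3d4e5f state UP mode DEFAULT group default'
SAMPLE_ROUTE='203.0.113.10 via 10.0.0.1 dev eth0 src 10.0.0.5 uid 0 cache'

# On a real host replace the two printf pipelines with `ip -o route get 203.0.113.10`
# and `ip -o link`; the parsing is the same.
uplink=$(printf '%s\n' "$SAMPLE_ROUTE" | egress_iface)             # eth0
uplink_mtu=$(printf '%s\n' "$SAMPLE_LINK" | iface_mtu "$uplink")   # 1450
mtu=$(printf '%s\n' "$SAMPLE_LINK" | bridge_mtus | recommend_mtu "$uplink_mtu")
if [ -n "$mtu" ]; then
  echo "Docker bridges exceed uplink MTU $uplink_mtu on $uplink; add to docker-compose.yml:"
  compose_fragment "$mtu"
else
  echo "bridge MTUs fit the uplink ($uplink_mtu); MTU is not the cause of the handshake timeout"
fi
```

To confirm the black hole rather than infer it, run from inside the container `ping -M do -s $((uplink_mtu - 28)) <any reachable host>` and then the same with `-s 1472`: the first succeeding while the second silently times out is the signature. Do not work around the symptom by raising the client timeout or relaxing certificate verification; the handshake is not completing at all, and the correct outcome until the MTU is fixed is the Unauthorized the portal already returns.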